BULL-3245: Add dependency check job

bbe7223a · Douglas Lagemann · 9e813f89 · bbe7223a · bbe7223a · bbe7223a
Commit bbe7223a authored 3 months ago by Douglas Lagemann
--- a/docker/pipeline-jobs/docker-compose-dependency-check.yml
+++ b/docker/pipeline-jobs/docker-compose-dependency-check.yml
+services:
+
+  dependency-check<<subProject>>:
+    image: owasp/dependency-check:11.1.1
+    container_name: dependency-check<<subProject>>
+    entrypoint: ["/local-dev/${BASE_SCRIPTS_DIR}/dependency-check/entrypoint.sh"]
+    working_dir: /local-dev
+    environment:
+      - REPORTS_DIR=/local-dev/${BASE_REPORTS_DIR}/dependency-check<<subProject>>
+      - SCRIPTS_DIR=/local-dev/${BASE_SCRIPTS_DIR}/dependency-check
+      - UTILITY_DIR=/local-dev/${BASE_SCRIPTS_DIR}/utility
+      - SCAN_ITEM=/app/<<dependencyFile>>
+      - CI_JOB_NAME=dependency-check<<subProject>>
+      - DATA_DIRECTORY=/usr/share/dependency-check/data
+      - CACHE_DIRECTORY=/usr/share/dependency-check/data/cache
+      - DC_PROJECT="xx_project_name_xx<<subProject>>"
+    volumes:
+      - ./:/local-dev
+      - ./xx_project_name_xx<<subProject>>:/app
+      - dependency-check-data:/usr/share/dependency-check/data
+
+volumes:
+  dependency-check-data:
+    name: dependency-check-data
+
--- a/formulas/baselines/node.yml
+++ b/formulas/baselines/node.yml
@@ -3,6 +3,7 @@ useBaseline: formulas/baselines/universal.yml
 pipeline:
  substitutions:
    exclusions: package-lock.json node_modules
+    dependencyFile: package-lock.json
  pipelineJobs:
    npm-lint:
      composeFile: docker/pipeline-jobs/docker-compose-npm-lint.yml

--- a/formulas/baselines/universal.yml
+++ b/formulas/baselines/universal.yml
@@ -2,6 +2,7 @@ pipeline:
  substitutions:
    subProject: ''
    exclusions: ''
+    dependencyFile: ''
  pipelineJobs:
    trufflehog:
      composeFile: docker/pipeline-jobs/docker-compose-trufflehog.yml
@@ -9,6 +10,8 @@ pipeline:
      composeFile: docker/pipeline-jobs/docker-compose-dockerfile-lint.yml
    find-unauthorized:
      composeFile: docker/pipeline-jobs/docker-compose-find-unauthorized.yml
+    dependency-check:
+      composeFile: docker/pipeline-jobs/docker-compose-dependency-check.yml

 getLocalDevDirs:
  - from: root
@@ -23,6 +26,8 @@ getLocalDevDirs:
    to: scripts/dockerfile-lint
  - from: scripts/find-unauthorized
    to: scripts/find-unauthorized
+  - from: scripts/dependency-check
+    to: scripts/dependency-check

 getLocalDevFiles:
  - from: scripts/setup.sh

--- a/scripts/dependency-check/entrypoint.sh
+++ b/scripts/dependency-check/entrypoint.sh
+#!/bin/sh
+# This is a combination of a script designed to run Dependency Check on a local machine
+# and the CI/CD execution steps from https://code.il2.dso.mil/platform-one/devops/pipeline-templates/-/blob/master/jobs/dependency-check/base.yml
+
+mkdir -p ${REPORTS_DIR}
+rm -f ${REPORTS_DIR}/*
+mkdir -p ${CACHE_DIRECTORY}
+
+# monitor status disabled until we can run the gate check script
+# ${UTILITY_DIR}/monitorstatus.sh -j ${CI_JOB_NAME} -s fail -r config -l "Job run in local dev"
+# set -o pipefail
+
+/usr/share/dependency-check/bin/dependency-check.sh \
+  --project ${DC_PROJECT} \
+  --scan ${SCAN_ITEM} \
+  --format "HTML" --format "JSON" \
+  --out ${REPORTS_DIR}
+
+# monitor status disabled until we can run the gate check script, dependent on sonarqube server
+# if [ "$?" == "0" ]; then
+#   ${UTILITY_DIR}/monitorstatus.sh -j ${CI_JOB_NAME} -s pass -r pass
+# else
+#   if [ -s "${REPORTS_DIR}/${CI_JOB_NAME}.out" ]; then
+#     ${UTILITY_DIR}/monitorstatus.sh -j ${CI_JOB_NAME} -r findings -l "${CI_JOB_NAME} process found findings, check job for details"
+#   fi
+#   exit 1
+# fi